CVE-2014-7809

EPSS 7.5%

Cross-Site Request Forgery in Apache Struts

Published: 2022/5/14 | Modified: 2024/12/6

Description

Apache Struts 2.0.0 through 2.3.x before 2.3.20 uses predictable <s:token/> values, which allows remote attackers to bypass the CSRF protection mechanism.

Affected packages (1)

References (8)